Synchronize LDAP with Azure AD

The requirement to synchronize a generic LDAP directory such as 389 Directory Server or OpenLDAP with Azure AD does exist, although it is not common. However, guides on synchronization between LDAP and Azure AD are scarce, and the configuration is difficult to get right in practice. So I hope that better information on this will be shared.

Let me share the LDAP-to-Azure AD synchronization configuration that I got working.

First, I built an OpenLDAP server and created an account to synchronize, and I installed Azure AD Connect on the same server. Of course, it does not matter if they are on separate servers. Also, the Azure AD Connect server does not need to be joined to an AD domain at all.

PyungraeCho_0-1631978483696.png


After the components have been installed, stop the wizard at the user sign-in selection step.

PyungraeCho_1-1631978542179.png


When Azure AD Connect is started in LDAP mode from the command line, the only option on the user sign-in page is "Do not configure". In other words, with OpenLDAP as the source, password hash synchronization (PHS) and pass-through authentication (PTA) cannot be configured, and federation must be configured manually. This also means that a user synchronized this way has no password in Azure AD to authenticate with; sign-in for such users depends entirely on the federation setup.

PyungraeCho_2-1631978590233.png

PyungraeCho_3-1631978609911.png

 

For reference, to federate an Azure AD domain manually, the Set-MsolDomainAuthentication PowerShell cmdlet (MSOnline module) can be used.
Set-MsolDomainAuthentication (MSOnline) | Microsoft Docs
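As an added example (not from the original post), this is what that manual federation step looks like with the cmdlet named above. The domain name, endpoint URLs, brand name and certificate path are placeholders; the token-signing certificate must be the public certificate published by the identity provider that will authenticate the LDAP users. The MSOnline module has since been deprecated in favour of Microsoft Graph PowerShell, so check the current guidance before depending on it.

```powershell
# Added example, not from the original post. All names and URLs below are placeholders.
Import-Module MSOnline
Connect-MsolService                      # interactive sign-in as a Global Administrator

$DomainName = 'example.com'              # assumption: a domain already verified in the tenant
$IdpBase    = 'https://idp.example.com'  # assumption: the IdP that authenticates users against OpenLDAP

# The token-signing certificate is the root of the federation trust: whoever holds its private
# key can mint tokens for ANY user whose UPN ends in this domain. Take it from the IdP's
# metadata over TLS, never from an e-mail attachment, and record its thumbprint and expiry.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
            -ArgumentList 'C:\idp\token-signing.cer'   # assumption: public certificate exported from the IdP
$signingCert = [Convert]::ToBase64String($cert.GetRawCertData())
"Token-signing thumbprint: $($cert.Thumbprint)  valid until $($cert.NotAfter)"

Set-MsolDomainAuthentication `
    -DomainName $DomainName `
    -Authentication Federated `
    -FederationBrandName 'Example IdP' `
    -IssuerUri "$IdpBase/trust" `
    -PassiveLogOnUri "$IdpBase/saml/sso" `
    -ActiveLogOnUri "$IdpBase/saml/ecp" `
    -LogOffUri "$IdpBase/saml/slo" `
    -MetadataExchangeUri "$IdpBase/saml/mex" `
    -SigningCertificate $signingCert `
    -PreferredAuthenticationProtocol Samlp

# Verify what the tenant now trusts: issuer, endpoints and brand must belong to the intended IdP.
Get-MsolDomainFederationSettings -DomainName $DomainName |
    Select-Object IssuerUri, PassiveLogOnUri, ActiveLogOnUri, FederationBrandName, PreferredAuthenticationProtocol
```

When the IdP rotates its signing key, stage the new certificate with -NextSigningCertificate before the old one expires; a domain whose trusted certificate has lapsed stops all sign-ins for the users synchronized here.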


The directory type was set to LDAP (not AD), and the hostname and authentication method were selected. The authentication type can be changed if the LDAP server is configured with SSL/TLS. With the plain LDAP port and a simple bind, the bind account's password crosses the network in clear text, so LDAPS (or StartTLS) is the setting to use anywhere outside a lab.

PyungraeCho_4-1631978705701.png


During installation, '_distinguishedName' was specified in the source anchor configuration step. Unlike Active Directory, an attribute such as objectGUID does not exist in OpenLDAP, so the source anchor must be chosen explicitly. Note that a DN changes when an entry is moved or renamed, while the source anchor is expected to stay constant for the lifetime of the object: the ImmutableId of the Azure AD object is derived from it, and Azure AD will not accept a changed anchor for an object that is already synchronized. Entries must therefore not be moved or renamed once they have been synchronized with this anchor.
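Before starting the wizard with the LDAPS and source anchor settings above, it is worth checking from the Azure AD Connect server that the bind works over TLS with a certificate the server trusts, and that the entries under the container to be synchronized are in a usable state. The following pre-flight script is an added example, not part of the original post; the host, bind DN (assumed to be a read-only service account), base DN, the attribute that will be flowed to userPrincipalName and the list of verified domains are placeholders for your environment.

```powershell
# Added pre-flight check, not part of the original post. Run on the Azure AD Connect server
# before starting the wizard. All values passed at the bottom are placeholders.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapSyncSource {
    param(
        [string]$LdapHost,                        # LDAP server name as it appears in its certificate
        [string]$BindDn,                          # read-only service account the connector will bind as
        [securestring]$BindPassword,
        [string]$BaseDn,                          # container that will be selected for synchronization
        [string]$UpnSourceAttribute = 'mail',     # attribute that will be flowed to userPrincipalName
        [string[]]$VerifiedDomains                # domains verified in the Azure AD tenant
    )

    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($LdapHost, 636)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.SessionOptions.SecureSocketLayer = $true
    # No VerifyServerCertificate override on purpose: with the default chain validation a
    # self-signed or mismatched certificate makes Bind() throw, instead of the bind password
    # being sent to whatever answered on port 636. Fix the trust store rather than disabling this.
    $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
    $conn.Credential = New-Object System.Net.NetworkCredential($BindDn, $BindPassword)
    $conn.Bind()     # simple bind, but only ever inside TLS

    $req = [System.DirectoryServices.Protocols.SearchRequest]::new(
        $BaseDn, '(objectClass=inetOrgPerson)',
        [System.DirectoryServices.Protocols.SearchScope]::Subtree,
        [string[]]@($UpnSourceAttribute))
    # A single SearchRequest is capped by the server's sizelimit (often 500 or 1000 entries);
    # add a PageResultRequestControl for large directories.
    $resp = [System.DirectoryServices.Protocols.SearchResponse]$conn.SendRequest($req)

    $seen     = @{}
    $findings = New-Object System.Collections.Generic.List[string]
    foreach ($entry in $resp.Entries) {
        $dn   = $entry.DistinguishedName
        $attr = $entry.Attributes[$UpnSourceAttribute]
        if ($null -eq $attr -or $attr.Count -eq 0) {
            $findings.Add("$dn : no $UpnSourceAttribute, userPrincipalName would be empty")
            continue
        }
        $upn    = ([string]$attr.GetValues([string])[0]).Trim().ToLowerInvariant()
        $suffix = $upn.Split('@')[-1]
        if ($upn -notmatch '^[^@\s]+@[^@\s]+$') {
            $findings.Add("$dn : '$upn' is not a usable UPN")
        } elseif ($VerifiedDomains -notcontains $suffix) {
            $findings.Add("$dn : suffix '$suffix' is not a verified domain; Azure AD will rewrite the UPN")
        }
        if ($seen.ContainsKey($upn)) {
            $findings.Add("$dn : duplicate $UpnSourceAttribute '$upn', also on $($seen[$upn])")
        } else {
            $seen[$upn] = $dn
        }
    }
    $conn.Dispose()
    [pscustomobject]@{ Entries = $resp.Entries.Count; Findings = $findings }
}

# Placeholder values; the bind DN is assumed to be a read-only account created for the connector.
$cred   = Get-Credential -UserName 'cn=aadsync,ou=svc,dc=example,dc=internal' -Message 'LDAP bind password'
$result = Test-LdapSyncSource -LdapHost 'ldap.example.internal' -BindDn $cred.UserName -BindPassword $cred.Password `
              -BaseDn 'ou=people,dc=example,dc=internal' -VerifiedDomains @('example.com')
"Checked $($result.Entries) entries, $($result.Findings.Count) findings"
$result.Findings
```

A Bind() failure here is the desired outcome when the certificate is wrong: the same failure inside the wizard is much harder to diagnose, and the temptation there is to fall back to an unencrypted bind. Duplicate or unverified UPN sources are worth fixing in the directory first, because the export to Azure AD is where they surface as errors.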

PyungraeCho_5-1631978733522.png


At the last stage of installation, the error shown in the figure always occurs and the installation cannot be completed. It is an error saying that the 'JoinFilter' could not be configured while creating a sync rule.

PyungraeCho_6-1631978763745.png


I had to complete the remaining configuration manually. Make a note of the sync rule ID shown in the error at the last stage of the wizard. In the picture above it is '37522~783d'.

Start the Synchronization Service Manager, change the bind account on the LDAP connector, specify the container to synchronize, and then run a "Full Import" to confirm that the account has been imported.

PyungraeCho_7-1631978818179.png

PyungraeCho_8-1631978836232.png

PyungraeCho_9-1631978857112.png


Next, manually create the sync rule that failed in the last step of the wizard.
In the C:\ProgramData\AADConnect directory there is a PowerShell script that creates the sync rules. Open it, find the block of commands that belongs to the ID recorded earlier (from where it starts to where it ends), and copy all of it.

PyungraeCho_10-1631978882953.png

Add the following commands to the copied script immediately before "Add-ADSyncRule". I also added an attribute flow from OpenLDAP's mail value to the metaverse userPrincipalName, and used the source anchor attribute specified earlier (_distinguishedName) in the join filter.
#################################################################
# $syncRule is the rule object produced earlier in the copied block
# by "New-ADSyncRule ... -OutVariable syncRule".

# Attribute flow: LDAP 'mail' -> metaverse 'userPrincipalName'
Add-ADSyncAttributeFlowMapping `
-SynchronizationRule $syncRule[0] `
-Source @('mail') `
-Destination 'userPrincipalName' `
-FlowType 'Direct' `
-ValueMergeType 'Update' `
-OutVariable syncRule

# Join condition: connector-space '_distinguishedName' (the source anchor) matches metaverse 'sourceAnchor'
New-Object `
-TypeName 'Microsoft.IdentityManagement.PowerShell.ObjectModel.JoinCondition' `
-ArgumentList '_distinguishedName','sourceAnchor' `
-OutVariable condition0

# Attach the join condition group to the rule; this is the JoinFilter the wizard failed to configure
Add-ADSyncJoinConditionGroup `
-SynchronizationRule $syncRule[0] `
-JoinConditions @($condition0[0]) `
-OutVariable syncRule
#################################################################

PyungraeCho_11-1631978913628.png


If the sync rule was created successfully, it appears in the 'Synchronization Rules Editor'.

PyungraeCho_12-1631978935605.png


Run a "Full Sync" on the LDAP connector in the Synchronization Service Manager and check the attributes stored in the metaverse.

PyungraeCho_13-1631978967065.png

PyungraeCho_14-1631978995644.png


Create an outbound rule to flow the metaverse attributes (source) to the Azure AD connector space (target).

PyungraeCho_15-1631979037672.png

PyungraeCho_16-1631979051812.png

PyungraeCho_17-1631979070307.png

PyungraeCho_18-1631979084058.png


After running "Export" on the Azure AD connector, the accounts synchronized from OpenLDAP finally show up in the Azure portal.
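The sequence above (full import, manual rule creation, full sync, outbound rule, export) can be verified from PowerShell on the Azure AD Connect server instead of clicking through each connector. The script below is an added example, not part of the original post: the LDAP connector name and the test DN are placeholders, and the property names read from the connector-space and metaverse objects (ConnectedMVObjectId, Attributes with Name/Values) are as these cmdlets emit them on the builds I have used; check them with Format-List on yours.

```powershell
# Added verification script, not from the original post. Run in an elevated PowerShell on the
# Azure AD Connect server (the ADSync module ships with it). Names below are placeholders.
Import-Module ADSync

$LdapConnectorName = 'ldap.example.internal'                      # assumption: LDAP connector name in the Service Manager
$TestDn            = 'uid=jdoe,ou=people,dc=example,dc=internal'  # assumption: one entry that should be synchronized

function Get-LdapInboundRules {
    # Inbound rules bound to the LDAP connector, in precedence order. The manually created rule
    # must appear here with a JoinFilter and a mail -> userPrincipalName flow; without the join
    # filter a Full Sync imports the entry but never projects it into the metaverse.
    $connector = Get-ADSyncConnector -Name $LdapConnectorName
    Get-ADSyncRule |
        Where-Object { $_.Connector -eq $connector.Identifier -and $_.Direction -eq 'Inbound' } |
        Sort-Object Precedence |
        Select-Object Precedence, Name, Disabled, Identifier, JoinFilter, AttributeFlowMappings
}
Get-LdapInboundRules | Format-List

# Keep the scheduler off while the rule set is still being built; otherwise a timed delta cycle
# can export a half-configured state (for example users without a UPN) to the tenant.
$sched = Get-ADSyncScheduler
if ($sched.SyncCycleEnabled) { Set-ADSyncScheduler -SyncCycleEnabled $false }
"Staging mode enabled: $($sched.StagingModeEnabled)"
Get-ADSyncExportDeletionThreshold    # confirm deletion prevention is on before the first real export

# Initial = full import, full sync and export on every connector: the same sequence the post
# runs by hand in the Synchronization Service Manager. The cmdlet returns at once, so wait
# for the cycle to finish before reading the results.
Start-ADSyncSyncCycle -PolicyType Initial | Out-Null
do { Start-Sleep -Seconds 10 } while ((Get-ADSyncScheduler).SyncCycleInProgress)

# Trace one entry from connector space to metaverse. An imported entry with no connected
# metaverse object did not join or project, which is exactly what the missing JoinFilter causes.
$cs = Get-ADSyncCSObject -ConnectorName $LdapConnectorName -DistinguishedName $TestDn
if (-not $cs.ConnectedMVObjectId) {
    throw "$TestDn was imported but is not connected to a metaverse object; check the inbound rule"
}
$mv = Get-ADSyncMVObject -Identifier $cs.ConnectedMVObjectId
$mv.Attributes |
    Where-Object { $_.Name -in 'sourceAnchor', 'userPrincipalName', 'displayName', 'accountEnabled' } |
    Select-Object Name, Values
```

Re-enable the scheduler with Set-ADSyncScheduler -SyncCycleEnabled $true only once the metaverse attributes look right for a few test entries; until then every export is a manual, reviewed action.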

PyungraeCho_19-1631979115421.png

PyungraeCho_20-1631979136025.png

PyungraeCho_21-1631979155407.png


If you know of an easier way than this or a way to complete the configuration normally in the wizard, please share.
